
ISO/IEC 27001 Certification
ISO 27001 Consulting
We guide your organisation through the full ISO/IEC 27001 certification path — pragmatic, audit-ready, and with a clear fixed-price entry point.
Why ISO 27001 Is More Than a Certificate in 2026
ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). It does not prescribe which specific security controls an organisation must implement — instead, it defines how an organisation systematically plans, implements, monitors, and improves information security. This risk-based flexibility is what makes the standard so versatile — and also demanding, because it requires genuine engagement with your business processes.
In 2026, the certificate has become de-facto mandatory in many B2B tenders. Customers in financial services, manufacturing, and the public sector require it as evidence in supplier audits. At the same time, ISO 27001 addresses a substantial portion of the requirements arising from NIS2, DORA, and the EU AI Act — one governance framework, multiple compliance outcomes.
The economic value, however, lies in the process behind the audit stamp. Organisations that implement ISO 27001 seriously detect risks earlier, respond to incidents more systematically, and can demonstrate that security is part of their day-to-day operations rather than a one-off project.
Our Approach: From Kick-off to Certification in 9–18 Months
We start with a structured gap analysis against the Annex A controls of ISO 27001:2022. The output is a prioritised implementation roadmap calibrated to the actual maturity of your organisation, with realistic effort estimates for the open items — not a generic checklist, but a defensible plan.
Next, we define the ISMS scope together. This decision has a significant impact on project effort and on the eventual audit cost. We help you choose a scope that is regulatorily sound and operationally implementable within your existing structures. We then run risk assessment and risk treatment, and produce the Statement of Applicability (SoA) — the audit-critical core artefact of your ISMS.
During implementation, we support the development of policies, procedures, and operational evidence. We train key roles, run internal audits, and prepare your team for the external certification audit. During the audit itself, we act as your subject-matter sparring partner and help you address any corrective actions quickly and in an audit-compliant way.
ISO 27001:2022 — What Changed Compared to the 2013 Version
The 2022 revision fundamentally restructured the Annex A controls: 114 controls in 14 categories were consolidated into 93 controls across four themes (Organisational, People, Physical, Technological). Eleven new controls were introduced covering topics including threat intelligence, cloud security, ICT readiness for business continuity, data masking, and secure coding.
Organisations still holding a certification under the 2013 version face a transition deadline at the end of October 2026. Anyone certifying or recertifying now should go directly to the 2022 standard — this avoids duplicate work. We map the old controls to the new structure systematically and identify the concrete gaps to the 2022 requirements.
The new controls are particularly relevant for organisations that use cloud services, run their own software development, or rely on critical third-party providers. For each control we evaluate what evidence is appropriate in your context — and which controls can be marked "not applicable" with a defensible justification.
Common Pitfalls — and How We Avoid Them
The most common reason for failed certifications is a poorly chosen ISMS scope. Too broad creates disproportionate effort; too narrow gets pushed back by the auditor as trivial or undermines the marketing value of the certificate. We help you find a scope that is both auditable and economically implementable.
The second typical mistake is producing volumes of documentation that no one in the organisation actually uses. A thick policy manual that nobody reads does not protect — it only creates liability. We build documentation that remains usable in day-to-day work: short policies, clear ownership, procedures embedded in existing tools (Jira, Confluence, SharePoint) rather than locked in PDFs.
Third, many organisations underestimate the coordination effort: ISO 27001 is not an IT project — it is an organisation-wide governance initiative. It requires inputs from IT, HR, Legal, Procurement, and executive management. We act as the external programme manager and shoulder this coordination burden — you provide the subject-matter input, we build the system.
What We Deliver
- Gap analysis against ISO 27001:2022 Annex A
- ISMS scope definition & risk analysis
- Statement of Applicability (SoA)
- Risk treatment plan
- Liveable policies & procedures
- Key-role training & awareness
- Internal audit & certification support
- Transition from ISO 27001:2013 to 2022
Frameworks Covered
- ISO/IEC 27001:2022
- ISO/IEC 27002:2022
- NIS2 Directive
- DORA
- EU AI Act
- BSI IT-Grundschutz
Deep dive
ISO 27001 Certification Costs
Transparent breakdown of effort and fees for SMEs and mid-market — including audit costs, internal effort, and realistic timeline.
See cost breakdown
Related
ISO 27001 for Small Business
Pragmatic certification path for organisations with 10–100 staff — without enterprise overhead.
ISMS Consulting
General ISMS implementation, with the choice between ISO 27001 and BSI IT-Grundschutz.
External Information Security Officer
After certification: ongoing ISMS operation through an external Information Security Officer (ISB).
Discuss your ISO 27001 project
We will outline a realistic approach for your organisation's size and starting point.
Get in touch
Frequently Asked Questions
How long does an initial ISO 27001 certification take?
Realistically between 9 and 18 months from project kick-off. A mature organisation with existing security documentation can finish in 9 months; a greenfield ISMS in a 100-person organisation tends to require 12 to 18 months. Accelerators: clear management commitment, available internal capacity, a tightly scoped ISMS. Decelerators: parallel major projects, unclear ownership, underestimating the coordination effort. We agree a realistic timeline with you from day one.
How much does ISO 27001 certification typically cost?
Total cost breaks into three buckets: external consulting, internal personnel, and certification audit fees. For an SME with 30–80 employees, external consulting effort typically falls between €25,000 and €60,000 over the project; certification body fees for the initial audit (Stage 1 + Stage 2) usually range from €8,000 to €20,000. The largest — and most frequently underestimated — line item is internal personnel effort. A detailed breakdown is available on our ISO 27001 costs page.
Does ISO 27001 cover NIS2 and DORA?
ISO 27001 covers a substantial part of NIS2 Article 21 measures and the DORA ICT risk management framework — but not 1:1 completely. NIS2 additionally requires specific reporting obligations (24-hour early warning, 72-hour report) that a pure ISO ISMS does not explicitly model. DORA requires specific obligations on the third-party register and digital operational resilience testing that go beyond the ISO standard approach. We build the ISMS so that ISO 27001 forms the foundation and NIS2/DORA bolt on cleanly as additional modules — without duplicating documentation.
Do we need an existing security function before engaging?
No. Many of our clients start without a dedicated security organisation — they have an IT department with operational duties but no Information Security Officer. We build the security organisation jointly with you, define the necessary roles, and can take on the Information Security Officer role externally if useful. What we need on your side: an ISMS sponsor at executive level and a primary subject-matter contact who carries the project operationally.
What happens after initial certification?
The ISO 27001 certificate is valid for three years. During that period, annual surveillance audits are mandatory; a full recertification audit is due at the end of year three. Operationally that means: keep risk assessments current, document incidents, run internal audits, track corrective actions. We offer ISMS maintenance as a retainer or via our external Information Security Officer service. For organisations building up internal competence, we also support a hand-over model with progressive transfer of responsibility.
Get in touch
ISO 27001 Consulting for Your Organisation
From initial gap analysis to certification audit — we guide you through every step with a pragmatic, outcome-focused approach.